/*     */ package com.zimbra.cs.account.accesscontrol;
/*     */ 
/*     */ import com.zimbra.common.account.Key.AccountBy;
/*     */ import com.zimbra.common.service.ServiceException;
/*     */ import com.zimbra.common.util.EmailUtil;
/*     */ import com.zimbra.common.util.Log;
/*     */ import com.zimbra.common.util.ZimbraLog;
/*     */ import com.zimbra.cs.account.AccessManager;
/*     */ import com.zimbra.cs.account.AccessManager.AttrRightChecker;
/*     */ import com.zimbra.cs.account.Account;
/*     */ import com.zimbra.cs.account.AuthToken;
/*     */ import com.zimbra.cs.account.Cos;
/*     */ import com.zimbra.cs.account.Domain;
/*     */ import com.zimbra.cs.account.Entry;
/*     */ import com.zimbra.cs.account.Group;
/*     */ import com.zimbra.cs.account.Group.GroupOwner;
/*     */ import com.zimbra.cs.account.MailTarget;
/*     */ import com.zimbra.cs.account.Provisioning;
/*     */ import java.util.HashSet;
/*     */ import java.util.Map;
/*     */ import java.util.Set;
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ public class GlobalAccessManager
/*     */   extends AccessManager
/*     */   implements AdminConsoleCapable
/*     */ {
/*     */   private ACLAccessManager mAclAccessManager;
/*     */   
/*     */   public GlobalAccessManager()
/*     */   {
/*     */     try
/*     */     {
/*  46 */       this.mAclAccessManager = new ACLAccessManager();
/*     */     } catch (ServiceException e) {
/*  48 */       ZimbraLog.acl.warn("unable to instaintiate ACLAccessManager, user rights will not be honored", e);
/*     */     }
/*     */   }
/*     */   
/*     */   public boolean isAdequateAdminAccount(Account acct)
/*     */   {
/*  54 */     return acct.getBooleanAttr("zimbraIsAdminAccount", false);
/*     */   }
/*     */   
/*     */   public boolean canAccessAccount(AuthToken at, Account target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/*  60 */     if (!at.isZimbraUser()) {
/*  61 */       return false;
/*     */     }
/*  63 */     checkDomainStatus(target);
/*     */     
/*  65 */     if (isGlobalAdmin(at, asAdmin)) {
/*  66 */       return true;
/*     */     }
/*  68 */     if (isParentOf(at, target)) {
/*  69 */       return true;
/*     */     }
/*  71 */     return canDo(at, target, Rights.User.R_loginAs, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canAccessAccount(AuthToken at, Account target)
/*     */     throws ServiceException
/*     */   {
/*  77 */     return canAccessAccount(at, target, true);
/*     */   }
/*     */   
/*     */   public boolean canAccessAccount(Account credentials, Account target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/*  83 */     if (credentials == null) {
/*  84 */       return false;
/*     */     }
/*  86 */     checkDomainStatus(target);
/*     */     
/*     */ 
/*  89 */     if (AccessControlUtil.isGlobalAdmin(credentials, asAdmin)) {
/*  90 */       return true;
/*     */     }
/*     */     
/*  93 */     if (isParentOf(credentials, target)) {
/*  94 */       return true;
/*     */     }
/*  96 */     return canDo(credentials, target, Rights.User.R_loginAs, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canAccessAccount(Account credentials, Account target)
/*     */     throws ServiceException
/*     */   {
/* 102 */     return canAccessAccount(credentials, target, true);
/*     */   }
/*     */   
/*     */   public boolean canAccessCos(AuthToken at, Cos cos) throws ServiceException
/*     */   {
/* 107 */     if (!at.isZimbraUser()) {
/* 108 */       return false;
/*     */     }
/* 110 */     return isGlobalAdmin(at);
/*     */   }
/*     */   
/*     */   public boolean canCreateGroup(AuthToken at, String groupEmail)
/*     */     throws ServiceException
/*     */   {
/* 116 */     Domain domain = Provisioning.getInstance().getDomainByEmailAddr(groupEmail);
/* 117 */     checkDomainStatus(domain);
/*     */     
/* 119 */     boolean asAdmin = true;
/* 120 */     Right rightNeeded = Rights.User.R_createDistList;
/* 121 */     Account authedAcct = AccessControlUtil.authTokenToAccount(at, rightNeeded);
/*     */     
/* 123 */     if (AccessControlUtil.isGlobalAdmin(authedAcct, asAdmin)) {
/* 124 */       return true;
/*     */     }
/*     */     
/* 127 */     return canDo(at, domain, rightNeeded, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canCreateGroup(Account credentials, String groupEmail)
/*     */     throws ServiceException
/*     */   {
/* 133 */     Domain domain = Provisioning.getInstance().getDomainByEmailAddr(groupEmail);
/* 134 */     checkDomainStatus(domain);
/*     */     
/* 136 */     boolean asAdmin = true;
/* 137 */     Right rightNeeded = Rights.User.R_createDistList;
/* 138 */     Account authedAcct = credentials;
/*     */     
/* 140 */     if (AccessControlUtil.isGlobalAdmin(authedAcct, asAdmin)) {
/* 141 */       return true;
/*     */     }
/*     */     
/* 144 */     return canDo(credentials, domain, rightNeeded, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canAccessGroup(AuthToken at, Group group) throws ServiceException
/*     */   {
/* 149 */     checkDomainStatus(group);
/*     */     
/* 151 */     boolean asAdmin = true;
/* 152 */     Right rightNeeded = Group.GroupOwner.GROUP_OWNER_RIGHT;
/* 153 */     Account authedAcct = AccessControlUtil.authTokenToAccount(at, rightNeeded);
/*     */     
/* 155 */     if (AccessControlUtil.isGlobalAdmin(authedAcct, asAdmin)) {
/* 156 */       return true;
/*     */     }
/*     */     
/* 159 */     return canDo(at, group, rightNeeded, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canAccessGroup(Account credentials, Group group, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 165 */     checkDomainStatus(group);
/*     */     
/* 167 */     Right rightNeeded = Group.GroupOwner.GROUP_OWNER_RIGHT;
/* 168 */     Account authedAcct = credentials;
/*     */     
/* 170 */     if (AccessControlUtil.isGlobalAdmin(authedAcct, asAdmin)) {
/* 171 */       return true;
/*     */     }
/*     */     
/* 174 */     return canDo(credentials, group, rightNeeded, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canAccessDomain(AuthToken at, String domainName)
/*     */     throws ServiceException
/*     */   {
/* 180 */     if (!at.isZimbraUser())
/* 181 */       return false;
/* 182 */     checkDomainStatus(domainName);
/*     */     
/* 184 */     return isGlobalAdmin(at);
/*     */   }
/*     */   
/*     */   public boolean canAccessDomain(AuthToken at, Domain domain)
/*     */     throws ServiceException
/*     */   {
/* 190 */     if (!at.isZimbraUser())
/* 191 */       return false;
/* 192 */     checkDomainStatus(domain);
/*     */     
/* 194 */     return isGlobalAdmin(at);
/*     */   }
/*     */   
/*     */   public boolean canAccessEmail(AuthToken at, String email)
/*     */     throws ServiceException
/*     */   {
/* 200 */     String[] parts = EmailUtil.getLocalPartAndDomain(email);
/* 201 */     if (parts == null) {
/* 202 */       throw ServiceException.INVALID_REQUEST("must be valid email address: " + email, null);
/*     */     }
/*     */     
/* 205 */     Account targetAcct = Provisioning.getInstance().get(Key.AccountBy.name, email, at);
/* 206 */     if ((targetAcct != null) && 
/* 207 */       (isParentOf(at, targetAcct))) {
/* 208 */       return true;
/*     */     }
/* 210 */     return canAccessDomain(at, parts[1]);
/*     */   }
/*     */   
/*     */   public boolean canDo(MailTarget grantee, Entry target, Right rightNeeded, boolean asAdmin)
/*     */   {
/* 215 */     if ((rightNeeded != null) && (rightNeeded.isUserRight()))
/*     */     {
/* 217 */       if (this.mAclAccessManager != null) {
/* 218 */         return this.mAclAccessManager.canDo(grantee, target, rightNeeded, asAdmin);
/*     */       }
/* 220 */       return false;
/*     */     }
/* 222 */     return AccessControlUtil.isGlobalAdmin(grantee, asAdmin);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public boolean canDo(AuthToken grantee, Entry target, Right rightNeeded, boolean asAdmin)
/*     */   {
/* 229 */     Account granteeAcct = AccessControlUtil.authTokenToAccount(grantee, rightNeeded);
/* 230 */     if (granteeAcct != null) {
/* 231 */       return canDo(granteeAcct, target, rightNeeded, asAdmin);
/*     */     }
/* 233 */     return false;
/*     */   }
/*     */   
/*     */ 
/*     */   public boolean canDo(String granteeEmail, Entry target, Right rightNeeded, boolean asAdmin)
/*     */   {
/* 239 */     Account granteeAcct = AccessControlUtil.emailAddrToAccount(granteeEmail, rightNeeded);
/* 240 */     if (granteeAcct != null) {
/* 241 */       return canDo(granteeAcct, target, rightNeeded, asAdmin);
/*     */     }
/* 243 */     return false;
/*     */   }
/*     */   
/*     */   public AccessManager.AttrRightChecker getGetAttrsChecker(Account credentials, Entry target, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 249 */     if (AccessControlUtil.isGlobalAdmin(credentials, asAdmin) == Boolean.TRUE.booleanValue()) {
/* 250 */       return AllowedAttrs.ALLOW_ALL_ATTRS();
/*     */     }
/* 252 */     return AllowedAttrs.DENY_ALL_ATTRS();
/*     */   }
/*     */   
/*     */   public AccessManager.AttrRightChecker getGetAttrsChecker(AuthToken credentials, Entry target, boolean asAdmin) throws ServiceException
/*     */   {
/* 257 */     return getGetAttrsChecker(credentials.getAccount(), target, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canGetAttrs(Account credentials, Entry target, Set<String> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 263 */     return AccessControlUtil.isGlobalAdmin(credentials, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canGetAttrs(AuthToken credentials, Entry target, Set<String> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 269 */     return isGlobalAdmin(credentials, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canModifyMailQuota(AuthToken at, Account targetAccount, long mailQuota)
/*     */     throws ServiceException
/*     */   {
/* 275 */     return isGlobalAdmin(at);
/*     */   }
/*     */   
/*     */   public boolean canSetAttrs(Account credentials, Entry target, Set<String> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 281 */     return AccessControlUtil.isGlobalAdmin(credentials, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canSetAttrs(AuthToken credentials, Entry target, Set<String> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 287 */     return isGlobalAdmin(credentials, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canSetAttrs(Account credentials, Entry target, Map<String, Object> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 293 */     return AccessControlUtil.isGlobalAdmin(credentials, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean canSetAttrs(AuthToken credentials, Entry target, Map<String, Object> attrs, boolean asAdmin)
/*     */     throws ServiceException
/*     */   {
/* 299 */     return isGlobalAdmin(credentials, asAdmin);
/*     */   }
/*     */   
/*     */   public boolean isDomainAdminOnly(AuthToken at)
/*     */   {
/* 304 */     return false;
/*     */   }
/*     */   
/*     */   private boolean isGlobalAdmin(AuthToken at) {
/* 308 */     return isGlobalAdmin(at, true);
/*     */   }
/*     */   
/*     */   private boolean isGlobalAdmin(AuthToken at, boolean asAdmin) {
/* 312 */     return (asAdmin) && (at.isAdmin());
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */ 
/*     */   public void getAllEffectiveRights(RightBearer rightBearer, boolean expandSetAttrs, boolean expandGetAttrs, RightCommand.AllEffectiveRights result)
/*     */     throws ServiceException
/*     */   {
/* 324 */     CollectAllEffectiveRights.getAllEffectiveRights(rightBearer, expandSetAttrs, expandGetAttrs, result);
/*     */   }
/*     */   
/*     */ 
/*     */   public void getEffectiveRights(RightBearer rightBearer, Entry target, boolean expandSetAttrs, boolean expandGetAttrs, RightCommand.EffectiveRights result)
/*     */     throws ServiceException
/*     */   {
/* 331 */     CollectEffectiveRights.getEffectiveRights(rightBearer, target, expandSetAttrs, expandGetAttrs, result);
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */   public Set<TargetType> targetTypesForGrantSearch()
/*     */   {
/* 338 */     HashSet<TargetType> tts = new HashSet();
/* 339 */     tts.add(TargetType.account);
/* 340 */     tts.add(TargetType.calresource);
/* 341 */     tts.add(TargetType.dl);
/* 342 */     tts.add(TargetType.group);
/*     */     
/* 344 */     return tts;
/*     */   }
/*     */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/cs/account/accesscontrol/GlobalAccessManager.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */